Wenzel / pyvmidbg

LibVMI-based debug server, implemented in Python. Building a guest aware, stealth and agentless full-system debugger
GNU General Public License v3.0

Inaccurate readings randomize_layout [Linux Kernel] #48

Open pwnosaur opened 3 years ago

pwnosaur commented 3 years ago

The current implementation for Linux kernel debugging lacks support for kernel 4.13+ because of the randomize_layout security feature, which randomizes the location of struct members during the kernel compilation process; thus the offset of each element may vary, resulting in inaccurate readings.

More information about the feature here: https://lwn.net/Articles/722293/

Note the randomized_struct_fields_start used in

Kernel 4.13+

```c
struct task_struct {
#ifdef CONFIG_THREAD_INFO_IN_TASK
    struct thread_info      thread_info;
#endif
    volatile long           state;
    randomized_struct_fields_start
    void                *stack;
...
```

which was not yet implemented in previous kernel versions

Kernel 4.12-

```c
struct task_struct {
#ifdef CONFIG_THREAD_INFO_IN_TASK
    struct thread_info      thread_info;
#endif
    volatile long           state;
    void                *stack;
```
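The inaccurate readings described in this issue, reproduced in a small added example that is not pyvmidbg's code: the same task_struct bytes are decoded once with stale hardcoded 4.12 offsets and once with offsets taken from a Rekall-style profile of the randomized build, and a plausibility check flags the mismatch. The member offsets, the profile contents and the guest memory are all constructed for illustration, and the profile shape is assumed rather than taken from this project.

```python
import struct

# Constructed subset of task_struct: member name -> struct format (little-endian).
FIELD_FMT = {"state": "<q", "stack": "<Q", "pid": "<i", "tgid": "<i"}
STRUCT_SIZE = 32
PID_MAX = 4194304  # PID_MAX_LIMIT on 64-bit kernels

# Hypothetical offsets: `state` precedes randomized_struct_fields_start and stays
# put; the members after the marker are shuffled per kernel build.
LAYOUT_4_12 = {"state": 0, "stack": 8, "pid": 16, "tgid": 20}
PROFILE_RANDOMIZED = {  # Rekall-style profile layout (assumed shape, constructed values)
    "$STRUCTS": {"task_struct": [STRUCT_SIZE, {
        "state": [0, ["long"]], "pid": [8, ["int"]],
        "tgid": [12, ["int"]], "stack": [16, ["Pointer"]]}]}
}

def offsets_from_profile(profile, struct_name="task_struct"):
    """Extract member offsets for one struct from a Rekall-style profile dict."""
    _size, members = profile["$STRUCTS"][struct_name]
    return {name: desc[0] for name, desc in members.items()}

def build_task_struct(layout, values):
    """Serialize `values` into a blob laid out according to `layout` offsets."""
    buf = bytearray(STRUCT_SIZE)
    for name, off in layout.items():
        struct.pack_into(FIELD_FMT[name], buf, off, values[name])
    return bytes(buf)

def read_task_struct(mem, layout):
    """Decode task_struct members from `mem` using the given offsets."""
    return {name: struct.unpack_from(FIELD_FMT[name], mem, off)[0]
            for name, off in layout.items()}

def plausibility_errors(task):
    """Cheap runtime sanity checks that surface an offset mismatch."""
    errors = []
    for name in ("pid", "tgid"):
        if not 0 <= task[name] <= PID_MAX:
            errors.append(f"{name} out of range")
    if task["stack"] < 0xFFFF800000000000:  # x86-64 kernel half of the address space
        errors.append("stack is not a kernel address")
    return errors

# Constructed guest memory: one task_struct as written by a randomized build.
VALUES = {"state": 0, "stack": 0xFFFF888012345000, "pid": 1234, "tgid": 1234}
GUEST_MEM = build_task_struct(offsets_from_profile(PROFILE_RANDOMIZED), VALUES)

def demo():
    wrong = read_task_struct(GUEST_MEM, LAYOUT_4_12)  # stale hardcoded offsets
    right = read_task_struct(GUEST_MEM, offsets_from_profile(PROFILE_RANDOMIZED))
    return wrong, right
```

With the stale offsets, `pid` comes back as the low half of the stack pointer and `stack` as the two PIDs glued together, and `plausibility_errors` reports all three violations while the profile-derived decode passes cleanly.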